+

US20050079869A1 - Mobile node authentication - Google Patents

Mobile node authentication Download PDF

Info

Publication number
US20050079869A1
US20050079869A1 US10/958,819 US95881904A US2005079869A1 US 20050079869 A1 US20050079869 A1 US 20050079869A1 US 95881904 A US95881904 A US 95881904A US 2005079869 A1 US2005079869 A1 US 2005079869A1
Authority
US
United States
Prior art keywords
mobile
mobile node
message
authentication information
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/958,819
Inventor
Mohamed Khalil
Kuntal Chowdhury
Haseeb Akhtar
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nortel Networks Ltd
Original Assignee
Nortel Networks Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nortel Networks Ltd filed Critical Nortel Networks Ltd
Priority to US10/958,819 priority Critical patent/US20050079869A1/en
Assigned to NORTEL NETWORKS LIMITED reassignment NORTEL NETWORKS LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AKHTAR, HASEEB, CHOWDHURY, KUNTAL, KHALIL, MOHAMED
Publication of US20050079869A1 publication Critical patent/US20050079869A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/04Registration at HLR or HSS [Home Subscriber Server]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • the invention relates generally to mobile node authentication.
  • Packet-based data networks are widely used to link various types of network elements, such a personal computers, network telephones, Internet appliances, personal digital assistants (PDAs), mobile telephones, and so forth. Many types of communications are possible over packet-based data networks, including electronic mail, web browsing, file downloads, electronic commerce transactions, voice or other forms of real-time, interactive communications, and so forth.
  • PDAs personal digital assistants
  • Many types of communications are possible over packet-based data networks, including electronic mail, web browsing, file downloads, electronic commerce transactions, voice or other forms of real-time, interactive communications, and so forth.
  • IP Internet Protocol
  • a packet sent across a data network includes a source network address (of the source network element) and a destination network address (of the destination network element). Routers in the data network route each packet over network paths based on the source and destination addresses.
  • Such communications over packet-based networks are referred to as packet-switched communications.
  • Mobility of network elements is a desired feature.
  • the point of attachment of the network element associated with the user may change.
  • the user can potentially move from his or her home network (first point of attachment) to another network, referred to as a visited or foreign network (second point of attachment).
  • the point of attachment of a mobile network element to a network can either be a wired attachment or wireless attachment.
  • An example of a wired attachment is using a network cable to connect the mobile network element to a port in a wall outlet that connects to a network.
  • An example of a wireless point of attachment is a wireless link between a mobile station and a base station of a mobile communications network (such as a cellular communications network). In the latter case, the mobile station can be a mobile telephone or any other portable device that is capable of communicating wireless signaling with base stations associated with the mobile communications network.
  • the Mobile IP protocol defines a home agent, which is a router in the home network of a mobile network element that is responsible for tunneling packets for delivery to the mobile network element when it is away from the home network.
  • the home agent maintains the current location information for the mobile network element.
  • the Mobile IP protocol also defines a foreign agent, which is a router in the visited or foreign network that the mobile network element is currently attached to. The foreign agent provides routing services to the mobile network element, and detunnels and delivers packets to the mobile network element that were tunneled by the mobile network element's home agent.
  • IPsec IP Security
  • IPsec IP Security
  • the authentication mechanism using IPsec is based on the home IP address of the mobile node. Therefore, using IPsec may prevent the mobile node from acquiring a dynamic home address. Moreover, in some cases, when the mobile node initially starts up in a network, such as a visited network, the mobile node may not be aware of its IP address. Consequently, the mobile node would not have an available IP address for executing the IPsec authentication mechanism.
  • a method of authenticating a mobile node comprises receiving, from the mobile node, a Mobile IPv6 registration request that contains authentication information.
  • a procedure is performed to authenticate the mobile node based on the authentication information contained in the registration request.
  • a reply is sent to the mobile node acknowledging successful registration.
  • FIG. 1 is a block diagram of an example arrangement of a mobile communications network having a home network and a visited or foreign network, in which an authentication mechanism according to some embodiments is implemented.
  • FIG. 2 is a message flow diagram of a process of authenticating a mobile node, in accordance with an embodiment.
  • FIGS. 3-5 illustrate formats of several messages according to some embodiments.
  • FIG. 1 illustrates an example arrangement of a wireless mobile communications network that includes a first wireless network 10 and a second wireless network 12 .
  • Each wireless network includes an arrangement of cells, with each cell having a radio base station to communicate radio frequency (RF) signals with mobile stations (e.g., mobile telephones).
  • RF radio frequency
  • the two wireless networks may be associated with different service providers.
  • FIG. 1 is an example of a mobile or wireless communications network that is implemented according to the code-division multiple access (CDMA) 2000 family of standards.
  • CDMA 2000 standards were developed by the Third Generation Partnership Project 2 (3GPP2).
  • 3GPP2 Third Generation Partnership Project 2
  • a CDMA 2000 wireless network is capable of supporting both circuit-switched services and packet-switched services.
  • TDMA time-division multiple access
  • UMTS Universal Mobile Telecommunications System
  • the wireless protocols that support packet-switched services referred to here are provided as examples only, as other protocols can be used in other embodiments.
  • Wired technologies include IEEE 802.11a, Wideband CDMA (WCDMA), General Packet Radio Service (GPRS), Global System for Mobile (GSM), and so forth.
  • WCDMA Wideband CDMA
  • GPRS General Packet Radio Service
  • GSM Global System for Mobile
  • the concept of mobility can also be applied to wired networks instead of wireless networks.
  • Mobility can also be provided in a wired communications network arrangement, in which mobile network elements are attached to a network by a wired connection.
  • a wired connection is usually in the form of a direct cable connection between the mobile network element and the respective network.
  • a wired connection arrangement can also include a wireless local area network (LAN), in which the mobile network element communicates wirelessly with base stations that are in close proximity to the mobile network element, with the base stations being wired to the network.
  • LAN wireless local area network
  • the concepts described herein for authenticating a mobile node in a network are applicable to either a wireless mobile communications network arrangement (such as CDMA or TDMA wireless network arrangement or a wireless LAN arrangement) or to a wired network arrangement.
  • the home network 12 represents one domain while the foreign network 10 represents another domain. Instead of radio networks, mobile nodes access each network through a wired connection.
  • a “mobile node” or “mobile station” refers to a mobile node or mobile station that is either a wireless or wired node.
  • the mobile communications network includes a home network 12 and a visited or foreign network 10 .
  • the mobile station 16 is associated with a subscriber of the service provider that supports the home network 12 . However, the mobile station 16 can travel to a location that is covered by the visited wireless network 10 . From the perspective of other mobile stations, the network 10 is the home network while the network 12 is potentially a visited or foreign network.
  • FIG. 1 shows that the mobile station 16 has traveled outside the coverage area of the home wireless network 12 and into the foreign wireless network 10 .
  • the foreign wireless network 10 includes a radio network 14 , which includes plural base transceiver systems (BTS) and radio network controllers (RNCs) or base station controllers (BSCs) that control radio communications in respective cells or cell sectors.
  • BTS base transceiver systems
  • RNCs radio network controllers
  • BSCs base station controllers
  • RF radio frequency
  • the home network 12 similarly also includes a radio network 44 that provides an air interface to the mobile station 17 .
  • IP Internet Protocol
  • Mobile IPv6 Mobile IPv6
  • IETF Internet Engineering Task Force
  • IPv4 IP version 4, described in RFC 791, entitled “Internet Protocol,” dated September 1981; while another version of IP is IPv6, described in RFC 2460, entitled “Internet Protocol, Version 6 (IPv6) Specification,” dated December 1998.
  • IPv6 IP version 6
  • packets or other units of data carry routing information (in the form of network addresses) that are used to route the packets or data units over one or more paths to a destination endpoint.
  • routing information in the form of network addresses
  • some embodiments can be applied in networks using other packet-switched protocols and mobility protocols.
  • the radio network 14 or 44 is coupled to a respective mobile switching center (MSC) 18 or 46 , which is responsible for switching mobile station-originated or mobile station-terminated traffic.
  • MSC mobile switching center
  • the MSC 18 or 46 is the interface for signaling end user traffic between the wireless network 10 or 12 and public switched networks, such as a public switched telephone network (PSTN) 20 , or other MSCs.
  • PSTN 20 is connected to landline terminals, such as telephones 22 .
  • the wireless network 10 or 12 is also capable of supporting packet-switched data services, in which packet data is communicated between the mobile station and another endpoint, which can be a terminal coupled to a packet-based data network 24 or another mobile station that is capable of communicating packet data.
  • packet-based data network 24 include private networks (such as local area networks or wide area networks) and public networks (such as the Internet). Packet data is communicated in a packet-switched communications session established between the mobile station and the other endpoint.
  • the radio network 14 or 44 manages the relay of packets with a packet data serving node (PDSN) 26 or 42 .
  • PDSN packet data serving node
  • other types of entities are involved in communicating mobile station-originated or mobile station-terminated packet data.
  • a node such as the PDSN 26 or 42
  • packet service node a node in the wireless network that manages the communication of packet-data.
  • the PDSN 26 or 42 establishes, maintains, and terminates link layer sessions to mobile stations, and routes mobile station-originated or mobile station-terminated packet data traffic.
  • the PDSN 26 or 42 is coupled to the packet-based data network 24 , which is connected to various endpoints, such as a computer 28 or a network telephone 30 .
  • packet-switched communications include web browsing, electronic mail, text chat sessions, file transfers, interactive game sessions, voice-over-IP (Internet Protocol) sessions, and so forth.
  • packet-switched communications utilize a connectionless internetwork layer defined by IP.
  • a lightweight protocol is implemented. This lightweight protocol is less processing intensive than the IP Security (Ipsec) protocol that is conventionally used for authenticating a mobile node.
  • the lightweight protocol enables authentication of the mobile node to be performed by inserting an authentication information element into registration messages that already have to be exchanged between a mobile node and a home agent 40 to register the mobile node.
  • the authentication information element allows the home agent to authenticate the mobile node.
  • a network access identifier (NAI) information element and a replay attack protection information element can also be included in the registration messages.
  • NAI network access identifier
  • the mobile node When a mobile node first starts up in a mobile network, the mobile node performs a registration procedure with a home agent (e.g., 40 ).
  • a home agent e.g., 40
  • the home agent 40 in one implementation, is part of the PDSN 40 . Alternatively, the home agent 40 can be a separate component. Note also that a foreign agent 64 is provided in the PDSN 26 of the visited network 10 .
  • the mobile node sends a Binding Update message to its home agent.
  • additional information elements provided in the Binding Update message include: (1) a network access identifier (NAI) of the mobile node, (2) authentication information to enable authentication of the mobile node by the home agent, and (3) identifier (ID) mobility information to be used for replay attack protection.
  • Replay attack refers to an attack in which a hacker monitors packets over a network to copy information from the packets so that the hacker can gain unauthorized access to the network.
  • Binding Update message containing the NAI of the mobile node
  • MN-NAI Mobility Option for storing the NAI of the mobile node
  • Authentication Mobility Option for storing the authentication information
  • ID Mobility Option for storing ID information
  • the Authentication, MN-NAI, and ID Mobility Options are part of the mobility header of the Binding Update message.
  • the mobility header is an extension header used by mobile nodes, home agents, and other nodes in messaging related to the creation and management of bindings.
  • the home agent is able to use the NAI, along with the authentication information element, to perform an authentication procedure with an Authentication, Authorization, and Accounting (AAA) server for authenticating the mobile node.
  • AAA Authentication, Authorization, and Accounting
  • the NAI element allows the mobile node to obtain a new home IP address.
  • PPP Point-to-Point Protocol
  • PPP Point-to-Point Protocol
  • the mechanism can also be used when the mobile node is changing its home IP address, either because of renumbering of it home network or because the mobile node periodically changes IP addresses.
  • the ID Mobility Option contains either a timestamp or a nonce (a random number or a combination of a random number and timestamp) for replay attack protection. For example, if a timestamp is included, then a home agent would be able to discard messages during a replay attack that are determined to be too old based on a comparison of a current time with the timestamp contained in the ID Mobility Option.
  • FIG. 2 shows a message flow diagram of a process of authenticating a mobile node by a home agent, in accordance with an embodiment.
  • the mobile node can be mobile station 16 ( FIG. 1 ), mobile station 17 , or any other mobile node.
  • the mobile node sends (at 102 ) an ICMP (Internet Control Message Protocol) Home Agent Address Discovery Request through a PDSN to the packet data network.
  • ICMP Internet Control Message Protocol
  • ICMP Internet Control Message Protocol
  • RFC 792 entitled “Internet Control Message Protocol,” dated September 1981.
  • the ICMP Home Agent Address Discovery Request is received by the home agent (e.g., 40 in FIG.
  • the reply message contains a list of all available home agents.
  • the mobile node selects (at 106 ) the home agent from the list, and optionally generates a home IP address of the mobile node based on information from the home agent. Selection of the home agent can be based on various criteria, such as an order of the home agents in the list. Alternatively, the home IP address of the mobile node can be assigned later.
  • the mobile node then sends a Binding Update message (at 108 ) to the selected home agent.
  • the Binding Update message contains the Authentication, MN-NAI, and ID Mobility Options, in accordance with some embodiments.
  • the remaining content of the Binding Update message includes a home IP address field (to carry the home address of the mobile node) and other information elements as defined by the IPv6 specification, according to one implementation.
  • the mobile node may send a zero value in the home IP address field of the Binding Update message.
  • the home agent allocates a unique home IP address for the mobile node based on the NAI contained in the Binding Update message.
  • the home agent Upon receiving the Binding Update message, the home agent checks (at 109 ) the validity of an Authenticator field (described in connection with FIG. 5 ) in the Authentication Mobility Option of the Binding Update message. The validity is based on a shared secret key contained in the Authenticator field.
  • the home agent checks (at 110 ) for a replay attack using the ID field in the ID Mobility Option of the Binding Update message. The home agent checks to ensure that the timestamp is not different from that current time by more than a predetermined time period (e.g., 500 milliseconds).
  • the home agent indicates an error has occurred by sending back a Binding Acknowledgment message with an error code.
  • the mobile node may update the ID field value in a subsequent Binding Update message.
  • the home agent sends (at 112 ) an Access-Request to a home Authentication, Authorization, and Accounting (AAA) server 38 ( FIG. 1 ).
  • AAA Authentication, Authorization, and Accounting
  • a foreign AAA server 66 is provided in the visited network 10 .
  • the home AAA server 38 provides authentication and authorization services for a mobile node that is attempting to connect to a home network.
  • the authentication and authorization services provided by the home AAA server 38 are based on the NAI of the mobile node and information in the Authentication Mobility Option.
  • the NAI that is communicated in the Access-Request message is the NAI extracted from the Binding Update message.
  • the Access-Request message also includes the Authenticator field extracted from the Authentication Mobility Option in the Binding Update message.
  • Mobile IP AAA is described in RFC 2977, entitled “Mobile IP Authentication, Authorization, and Accounting Requirements,” dated October 2000.
  • the Access-Request message is according to a RADIUS (Remote Authentication Dial In User Service) protocol, as described in RFC 2138, dated April 1997.
  • RADIUS Remote Authentication Dial In User Service
  • other forms of messages can be employed between the home agent and the home AAA server.
  • the home AAA server authenticates (at 114 ) the mobile node and sends back (at 116 ) an Access-Accept message (also a RADIUS message according to one implementation) to indicate successful authentication.
  • an Access-Accept message also a RADIUS message according to one implementation
  • the authentication performed by the AAA server is based on the NAI of the MN-NAI Mobility Option as well as on authentication information in the Authentication Mobility Option of the Binding Update message.
  • the home agent then performs (at 118 ) duplicate address detection for the home address communicated in the Binding Update message to detect if a duplicate address has been assigned. If the duplicate address detection has been successfully performed, the home agent sends back (at 120 ) a Binding Acknowledgment message which essentially contains much of the same information as in the Binding Update message.
  • the Binding Acknowledgment message contains the MN-NAI Mobility Option, Authentication Mobility Option, and the ID Mobility Option that were communicated in the Binding Update message.
  • the Binding Acknowledgment message also contains a home IP address field to carry the home IP address of the mobile node. Note that the ID Mobility Option in the Binding Acknowledgment message can be used by the mobile node to protect against a replay attack.
  • the tasks of FIG. 2 performed by the mobile node can be implemented in a mobile IP layer 50 ( FIG. 1 ) and/or other software layers in the mobile node (e.g. mobile station 17 in FIG. 1 ).
  • the mobile station 17 depicted in FIG. 1 also includes a radio interface 52 to communicate over a radio link with the radio network 44 .
  • the software layers of the mobile station 17 are executable on a central processing unit (CPU) 54 .
  • Data and instructions in the mobile station 17 can be stored in a storage 56 .
  • the tasks of FIG. 2 performed by the home agent can also be performed in a Mobile IP layer 58 ( FIG. 1 ) and/or other software layers.
  • the software layers of the home agent are executable on a CPU 60 , and data and instructions can be storage 62 .
  • FIG. 3 illustrates an example format of the MN-NAI Mobility Option contained in the Binding Update or Binding Acknowledgment message.
  • the MN-NAI Mobility Option contains a Type field 202 to indicate the type of option, and a Length field 204 to indicate the length of the NAI that is contained in an NAI field 206 .
  • An example of an NAI is user1@nortelnetworks.com. Note that the NAI of the mobile node is different from the IP address of the mobile node.
  • the ID Mobility Option of the Binding Update or Binding Acknowledgment message contains a Type field 302 , a Length field 304 , and an ID field 306 that contains either a nonce or a timestamp.
  • the Authentication Mobility Option is depicted in FIG. 5 .
  • This option contains a Type field 402 , a Length field 404 to indicate the length of a Subtype field 406 , SPI field 408 , and Authenticator field 410 (combined).
  • the Subtype field 406 is a number assigned to identify the entity and/or mechanism to be used to authenticate the message.
  • the SPI field 408 is used to identify the particular security association to use to authenticate the message.
  • the Authenticator field 410 contains the information to authenticate the mobile node.
  • the Authentication Mobility Option is the last option in a message that contains a mobility header.
  • the Authenticator field 410 contains the first 96 bits of a hash function (defined by HMAC_SHA1) of the following two data elements: MN-HA Shared Key, Mobility Data.
  • the hash function is a one-way hash function, such as SHA-1 (secure hash algorithm-1) to enable secure communication of the shared key.
  • the MN-HA Shared Key is the shared secret key between the mobile node and the home agent. If the home agent does not have a copy of this shared key, the home agent can access the home AAA server 38 ( FIG. 1 ) to retrieve the key to perform authentication operations.
  • the care-of address is the IP address (in a visited network) to which packets addressed to a mobile node's home address are routed.
  • the home address is the IP address of the mobile node in the home network.
  • the MH Data contains information in the mobility header of the Binding Update message.
  • the SPI is from the SPI field 408 of the Authentication Mobility Option ( FIG. 5 ).
  • the home agent Upon receiving a Binding Update message ( 108 in FIG. 2 ) from the mobile node, the home agent extracts the content of the Authenticator field 410 and SPI field 408 from the Authentication Mobility Option ( FIG. 5 ). The home agent also extracts the NAI from the NAI field 206 of the MN-NAI Mobility Option ( FIG. 3 ). The NAI, Authenticator and SPI values are included in the Access-Request (or other type of message) sent by the home agent to the AAA server.
  • the lightweight authentication mechanism By using the lightweight authentication mechanism according to some embodiments, a more efficient authentication procedure than those offered by conventional mechanisms, such as IPsec, is provided. For example, the relatively lengthy session setup time for IPsec can be avoided by use of the lightweight authentication mechanism according to some embodiments. Also, the lightweight authentication mechanism allows for more efficient usage of processing resources of mobile nodes.
  • the tasks performed by the home agent (or other equivalent entity in a home network) and mobile station are provided by software in the home agent and mobile station. Instructions of such software routines or modules are stored on one or more storage devices in the corresponding systems and loaded for execution on corresponding processors.
  • the processors include microprocessors, microcontrollers, processor modules or subsystems (including one or more microprocessors or microcontrollers), or other control or computing devices.
  • a “controller” refers to hardware, software, or a combination thereof.
  • a “controller” can refer to a single component or to plural components (whether software or hardware).
  • Data and instructions (of the software) are stored in respective storage devices, which are implemented as one or more machine-readable storage media.
  • the storage media include different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; and optical media such as compact disks (CDs) or digital video disks (DVDs).
  • DRAMs or SRAMs dynamic or static random access memories
  • EPROMs erasable and programmable read-only memories
  • EEPROMs electrically erasable and programmable read-only memories
  • flash memories magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape
  • CDs compact disks
  • DVDs digital video disks
  • the instructions of the software are loaded or transported to each entity in one of many different ways. For example, code segments including instructions stored on floppy disks, CD or DVD media, a hard disk, or transported through a network interface card, modem, or other interface device are loaded into the entity and executed as corresponding software routines or modules.
  • data signals that are embodied in carrier waves (transmitted over telephone lines, network lines, wireless links, cables, and the like) communicate the code segments, including instructions, to the entity.
  • carrier waves are in the form of electrical, optical, acoustical, electromagnetic, or other types of signals.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

To authenticate a mobile node, a Mobile IPv6 registration request is received from the mobile node, where the registration request contains authentication information. One example of the Mobile IPv6 registration request is a Mobile IPv6 Binding Update message. A procedure to authenticate the mobile node is performed based on the authentication information contained in the registration request.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Application Ser. No. 60/510,607, entitled “Mobile IPv6 Authentication and Authorization,” filed Oct. 13, 2003, which is hereby incorporated by reference.
    • TECHNICAL FIELD
  • The invention relates generally to mobile node authentication.
    • BACKGROUND
  • Packet-based data networks are widely used to link various types of network elements, such a personal computers, network telephones, Internet appliances, personal digital assistants (PDAs), mobile telephones, and so forth. Many types of communications are possible over packet-based data networks, including electronic mail, web browsing, file downloads, electronic commerce transactions, voice or other forms of real-time, interactive communications, and so forth.
  • One type of a packet-based network is an Internet Protocol (IP)-based network. Communications over a packet-based network is performed using packets or datagrams that are typically sent in bursts from a source to one or more destination points. A network element is typically assigned a network address (e.g., an IP address). A packet sent across a data network includes a source network address (of the source network element) and a destination network address (of the destination network element). Routers in the data network route each packet over network paths based on the source and destination addresses. Such communications over packet-based networks are referred to as packet-switched communications.
  • Mobility of network elements (such as notebook computers or PDAs) is a desired feature. As a user travels between different points, the point of attachment of the network element associated with the user may change. The user can potentially move from his or her home network (first point of attachment) to another network, referred to as a visited or foreign network (second point of attachment). The point of attachment of a mobile network element to a network can either be a wired attachment or wireless attachment. An example of a wired attachment is using a network cable to connect the mobile network element to a port in a wall outlet that connects to a network. An example of a wireless point of attachment is a wireless link between a mobile station and a base station of a mobile communications network (such as a cellular communications network). In the latter case, the mobile station can be a mobile telephone or any other portable device that is capable of communicating wireless signaling with base stations associated with the mobile communications network.
  • To provide enhanced flexibility and convenience in allowing a user to change points of attachment across different networks, the Mobile IP protocol has been defined. One version of Mobile IP is Mobile IPv6. The Mobile IP protocol defines a home agent, which is a router in the home network of a mobile network element that is responsible for tunneling packets for delivery to the mobile network element when it is away from the home network. The home agent maintains the current location information for the mobile network element. The Mobile IP protocol also defines a foreign agent, which is a router in the visited or foreign network that the mobile network element is currently attached to. The foreign agent provides routing services to the mobile network element, and detunnels and delivers packets to the mobile network element that were tunneled by the mobile network element's home agent.
  • A concern associated with use of a mobile node that can traverse different networks is authentication of the mobile node. The base specification of Mobile IPv6, mandates that the IP Security (IPsec) protocol be used between a mobile node and a home agent for authentication of the mobile node. Although IPsec may offer relatively strong protection, the implementation of IPsec may not be practical in all cases. For example, IPsec is processing intensive; as a result, in small handheld devices, IPsec may consume a relatively large portion of the available processing capacity of such a device. A further concern with such devices is the fact that the power available from the battery may be limited, and the processing load placed by IPsec may cause relatively quick depletion of the available battery capacity.
  • The authentication mechanism using IPsec is based on the home IP address of the mobile node. Therefore, using IPsec may prevent the mobile node from acquiring a dynamic home address. Moreover, in some cases, when the mobile node initially starts up in a network, such as a visited network, the mobile node may not be aware of its IP address. Consequently, the mobile node would not have an available IP address for executing the IPsec authentication mechanism.
    • SUMMARY
  • In general, methods and apparatus are provided to efficiently authenticate a mobile node. For example, a method of authenticating a mobile node comprises receiving, from the mobile node, a Mobile IPv6 registration request that contains authentication information. A procedure is performed to authenticate the mobile node based on the authentication information contained in the registration request. A reply is sent to the mobile node acknowledging successful registration.
  • Other or alternative features will become apparent from the following description, from the drawings, and from the claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram of an example arrangement of a mobile communications network having a home network and a visited or foreign network, in which an authentication mechanism according to some embodiments is implemented.
  • FIG. 2 is a message flow diagram of a process of authenticating a mobile node, in accordance with an embodiment.
  • FIGS. 3-5 illustrate formats of several messages according to some embodiments.
    • DETAILED DESCRIPTION
  • In the following description, numerous details are set forth to provide an understanding of some embodiments. However, it will be understood by those skilled in the art that embodiments may be practiced without these details and that numerous variations or modifications from the described embodiments may be possible.
  • FIG. 1 illustrates an example arrangement of a wireless mobile communications network that includes a first wireless network 10 and a second wireless network 12. Each wireless network includes an arrangement of cells, with each cell having a radio base station to communicate radio frequency (RF) signals with mobile stations (e.g., mobile telephones). The two wireless networks may be associated with different service providers.
  • Note that the arrangement shown in FIG. 1 is an example of a mobile or wireless communications network that is implemented according to the code-division multiple access (CDMA) 2000 family of standards. The CDMA 2000 standards were developed by the Third Generation Partnership Project 2 (3GPP2). A CDMA 2000 wireless network is capable of supporting both circuit-switched services and packet-switched services.
  • Other types of mobile communications networks can be employed in other embodiments, such as those networks based on time-division multiple access (TDMA) protocols. One example of a TDMA protocol that supports packet-switched services is the UMTS (Universal Mobile Telecommunications System) standard. The wireless protocols that support packet-switched services referred to here are provided as examples only, as other protocols can be used in other embodiments.
  • Other wireless technologies to which some embodiments can be applied include IEEE 802.11a, Wideband CDMA (WCDMA), General Packet Radio Service (GPRS), Global System for Mobile (GSM), and so forth. As noted above, the concept of mobility can also be applied to wired networks instead of wireless networks.
  • Mobility can also be provided in a wired communications network arrangement, in which mobile network elements are attached to a network by a wired connection. A wired connection is usually in the form of a direct cable connection between the mobile network element and the respective network. Alternatively, a wired connection arrangement can also include a wireless local area network (LAN), in which the mobile network element communicates wirelessly with base stations that are in close proximity to the mobile network element, with the base stations being wired to the network. The concepts described herein for authenticating a mobile node in a network are applicable to either a wireless mobile communications network arrangement (such as CDMA or TDMA wireless network arrangement or a wireless LAN arrangement) or to a wired network arrangement. In the wired context, the home network 12 represents one domain while the foreign network 10 represents another domain. Instead of radio networks, mobile nodes access each network through a wired connection.
  • In the ensuing discussion, a “mobile node” or “mobile station” refers to a mobile node or mobile station that is either a wireless or wired node.
  • As shown in FIG. 1, from the perspective of a given mobile station 16, the mobile communications network includes a home network 12 and a visited or foreign network 10. The mobile station 16 is associated with a subscriber of the service provider that supports the home network 12. However, the mobile station 16 can travel to a location that is covered by the visited wireless network 10. From the perspective of other mobile stations, the network 10 is the home network while the network 12 is potentially a visited or foreign network.
  • FIG. 1 shows that the mobile station 16 has traveled outside the coverage area of the home wireless network 12 and into the foreign wireless network 10. However, note that another mobile station 17 has remained in its home wireless network. The foreign wireless network 10 includes a radio network 14, which includes plural base transceiver systems (BTS) and radio network controllers (RNCs) or base station controllers (BSCs) that control radio communications in respective cells or cell sectors. Once attached to the foreign wireless network 10, the mobile station 16 is able to communicate control signaling and traffic over radio frequency (RF) signals or other wireless signals with the radio network 14. The home network 12 similarly also includes a radio network 44 that provides an air interface to the mobile station 17.
  • Seamless mobility between networks in a packet-switched environment, such as an Internet Protocol (IP) environment, is defined by Mobile IP. A version of Mobile IP (Mobile IPv6) is described in Internet Engineering Task Force (IETF) Internet Draft, entitled “IP Mobility Support in IPv6, draft-ietf-mobileip-ipv6-24.txt,” dated June 2003, or RFC 3775, entitled “Mobility Support for IPv6,” dated June 2004. As used here, the term “Mobile IP” or “Mobile IPv6” refers to the Mobile IPv6 as well as any subsequent Mobile IP protocol that evolves from or is derived from the Mobile IPv6 protocol. One version of IP is IPv4, described in RFC 791, entitled “Internet Protocol,” dated September 1981; while another version of IP is IPv6, described in RFC 2460, entitled “Internet Protocol, Version 6 (IPv6) Specification,” dated December 1998. In packet-switched communications, packets or other units of data carry routing information (in the form of network addresses) that are used to route the packets or data units over one or more paths to a destination endpoint. However, note that some embodiments can be applied in networks using other packet-switched protocols and mobility protocols.
  • For communicating circuit-switched voice or other traffic, the radio network 14 or 44 is coupled to a respective mobile switching center (MSC) 18 or 46, which is responsible for switching mobile station-originated or mobile station-terminated traffic. Effectively, the MSC 18 or 46 is the interface for signaling end user traffic between the wireless network 10 or 12 and public switched networks, such as a public switched telephone network (PSTN) 20, or other MSCs. The PSTN 20 is connected to landline terminals, such as telephones 22.
  • The wireless network 10 or 12 is also capable of supporting packet-switched data services, in which packet data is communicated between the mobile station and another endpoint, which can be a terminal coupled to a packet-based data network 24 or another mobile station that is capable of communicating packet data. Examples of the packet-based data network 24 include private networks (such as local area networks or wide area networks) and public networks (such as the Internet). Packet data is communicated in a packet-switched communications session established between the mobile station and the other endpoint.
  • To communicate packet data, the radio network 14 or 44 manages the relay of packets with a packet data serving node (PDSN) 26 or 42. With other types of wireless protocols, other types of entities are involved in communicating mobile station-originated or mobile station-terminated packet data. More generally, a node (such as the PDSN 26 or 42) in the wireless network that manages the communication of packet-data is referred to as a “packet service node.”
  • The PDSN 26 or 42 establishes, maintains, and terminates link layer sessions to mobile stations, and routes mobile station-originated or mobile station-terminated packet data traffic. The PDSN 26 or 42 is coupled to the packet-based data network 24, which is connected to various endpoints, such as a computer 28 or a network telephone 30. Examples of packet-switched communications include web browsing, electronic mail, text chat sessions, file transfers, interactive game sessions, voice-over-IP (Internet Protocol) sessions, and so forth. In one embodiment, packet-switched communications utilize a connectionless internetwork layer defined by IP.
  • To authenticate a mobile node in a mobile network (e.g., wireless network 10 or 12) according to Mobile IPv6, a lightweight protocol according to some embodiments is implemented. This lightweight protocol is less processing intensive than the IP Security (Ipsec) protocol that is conventionally used for authenticating a mobile node. The lightweight protocol enables authentication of the mobile node to be performed by inserting an authentication information element into registration messages that already have to be exchanged between a mobile node and a home agent 40 to register the mobile node. The authentication information element allows the home agent to authenticate the mobile node. In addition to the authentication information element, a network access identifier (NAI) information element and a replay attack protection information element can also be included in the registration messages.
  • When a mobile node first starts up in a mobile network, the mobile node performs a registration procedure with a home agent (e.g., 40). The home agent 40, in one implementation, is part of the PDSN 40. Alternatively, the home agent 40 can be a separate component. Note also that a foreign agent 64 is provided in the PDSN 26 of the visited network 10.
  • As part of the registration procedure according to Mobile IPv6, the mobile node sends a Binding Update message to its home agent. In accordance with some embodiments, additional information elements provided in the Binding Update message include: (1) a network access identifier (NAI) of the mobile node, (2) authentication information to enable authentication of the mobile node by the home agent, and (3) identifier (ID) mobility information to be used for replay attack protection. Replay attack refers to an attack in which a hacker monitors packets over a network to copy information from the packets so that the hacker can gain unauthorized access to the network.
  • These additional information elements of the Binding Update message are referred to as an MN-NAI Mobility Option (for storing the NAI of the mobile node), an Authentication Mobility Option (for storing the authentication information), and an ID Mobility Option (for storing ID information). The Authentication, MN-NAI, and ID Mobility Options are part of the mobility header of the Binding Update message. The mobility header is an extension header used by mobile nodes, home agents, and other nodes in messaging related to the creation and management of bindings.
  • By including the NAI in the Binding Update message, the home agent is able to use the NAI, along with the authentication information element, to perform an authentication procedure with an Authentication, Authorization, and Accounting (AAA) server for authenticating the mobile node. Also, the NAI element allows the mobile node to obtain a new home IP address. Such a mechanism is useful when the mobile node has established a PPP (Point-to-Point Protocol) session while the mobile node does not yet have a home IP address. PPP is described in RFC 1661, entitled “The Point-to-Point Protocol (PPP),” dated July 1994. The mechanism can also be used when the mobile node is changing its home IP address, either because of renumbering of it home network or because the mobile node periodically changes IP addresses.
  • The ID Mobility Option contains either a timestamp or a nonce (a random number or a combination of a random number and timestamp) for replay attack protection. For example, if a timestamp is included, then a home agent would be able to discard messages during a replay attack that are determined to be too old based on a comparison of a current time with the timestamp contained in the ID Mobility Option.
  • FIG. 2 shows a message flow diagram of a process of authenticating a mobile node by a home agent, in accordance with an embodiment. The mobile node can be mobile station 16 (FIG. 1), mobile station 17, or any other mobile node. Initially, when the mobile node first starts up, the mobile node sends (at 102) an ICMP (Internet Control Message Protocol) Home Agent Address Discovery Request through a PDSN to the packet data network. Note that the PDSN acts as a router in this case. ICMP is described by RFC 792, entitled “Internet Control Message Protocol,” dated September 1981. The ICMP Home Agent Address Discovery Request is received by the home agent (e.g., 40 in FIG. 1) or by any other designated router within the visited network 10 (as configured by the visited network operator), which responds (at 104) with an ICMP Home Agent Address Discovery Reply message. The reply message contains a list of all available home agents. Upon receipt of the list of home agents, the mobile node selects (at 106) the home agent from the list, and optionally generates a home IP address of the mobile node based on information from the home agent. Selection of the home agent can be based on various criteria, such as an order of the home agents in the list. Alternatively, the home IP address of the mobile node can be assigned later.
  • The mobile node then sends a Binding Update message (at 108) to the selected home agent. The Binding Update message contains the Authentication, MN-NAI, and ID Mobility Options, in accordance with some embodiments. The remaining content of the Binding Update message includes a home IP address field (to carry the home address of the mobile node) and other information elements as defined by the IPv6 specification, according to one implementation.
  • In some cases, the mobile node may send a zero value in the home IP address field of the Binding Update message. In response to this, the home agent allocates a unique home IP address for the mobile node based on the NAI contained in the Binding Update message.
  • Upon receiving the Binding Update message, the home agent checks (at 109) the validity of an Authenticator field (described in connection with FIG. 5) in the Authentication Mobility Option of the Binding Update message. The validity is based on a shared secret key contained in the Authenticator field. Next, the home agent checks (at 110) for a replay attack using the ID field in the ID Mobility Option of the Binding Update message. The home agent checks to ensure that the timestamp is not different from that current time by more than a predetermined time period (e.g., 500 milliseconds). If the timestamp check indicates that the current time is greater than the timestamp by the predetermined amount, then the home agent indicates an error has occurred by sending back a Binding Acknowledgment message with an error code. In response to this error, the mobile node may update the ID field value in a subsequent Binding Update message.
  • Assuming that the check indicates that the Binding Update message is not part of a replay attack, the home agent sends (at 112) an Access-Request to a home Authentication, Authorization, and Accounting (AAA) server 38 (FIG. 1). Note that a foreign AAA server 66 is provided in the visited network 10. The home AAA server 38 provides authentication and authorization services for a mobile node that is attempting to connect to a home network. The authentication and authorization services provided by the home AAA server 38 are based on the NAI of the mobile node and information in the Authentication Mobility Option. In this case, the NAI that is communicated in the Access-Request message is the NAI extracted from the Binding Update message. The Access-Request message also includes the Authenticator field extracted from the Authentication Mobility Option in the Binding Update message. Mobile IP AAA is described in RFC 2977, entitled “Mobile IP Authentication, Authorization, and Accounting Requirements,” dated October 2000. The Access-Request message is according to a RADIUS (Remote Authentication Dial In User Service) protocol, as described in RFC 2138, dated April 1997. However, in other embodiments, other forms of messages can be employed between the home agent and the home AAA server.
  • In response to the Access-Request message, the home AAA server authenticates (at 114) the mobile node and sends back (at 116) an Access-Accept message (also a RADIUS message according to one implementation) to indicate successful authentication. Note that the authentication performed by the AAA server is based on the NAI of the MN-NAI Mobility Option as well as on authentication information in the Authentication Mobility Option of the Binding Update message.
  • The home agent then performs (at 118) duplicate address detection for the home address communicated in the Binding Update message to detect if a duplicate address has been assigned. If the duplicate address detection has been successfully performed, the home agent sends back (at 120) a Binding Acknowledgment message which essentially contains much of the same information as in the Binding Update message. In particular, according to some embodiments, the Binding Acknowledgment message contains the MN-NAI Mobility Option, Authentication Mobility Option, and the ID Mobility Option that were communicated in the Binding Update message. The Binding Acknowledgment message also contains a home IP address field to carry the home IP address of the mobile node. Note that the ID Mobility Option in the Binding Acknowledgment message can be used by the mobile node to protect against a replay attack.
  • The tasks of FIG. 2 performed by the mobile node can be implemented in a mobile IP layer 50 (FIG. 1) and/or other software layers in the mobile node (e.g. mobile station 17 in FIG. 1). The mobile station 17 depicted in FIG. 1 also includes a radio interface 52 to communicate over a radio link with the radio network 44. The software layers of the mobile station 17 are executable on a central processing unit (CPU) 54. Data and instructions in the mobile station 17 can be stored in a storage 56.
  • Similarly, the tasks of FIG. 2 performed by the home agent can also be performed in a Mobile IP layer 58 (FIG. 1) and/or other software layers. The software layers of the home agent are executable on a CPU 60, and data and instructions can be storage 62.
  • FIG. 3 illustrates an example format of the MN-NAI Mobility Option contained in the Binding Update or Binding Acknowledgment message. The MN-NAI Mobility Option contains a Type field 202 to indicate the type of option, and a Length field 204 to indicate the length of the NAI that is contained in an NAI field 206. An example of an NAI is user1@nortelnetworks.com. Note that the NAI of the mobile node is different from the IP address of the mobile node.
  • As shown in FIG. 4, the ID Mobility Option of the Binding Update or Binding Acknowledgment message contains a Type field 302, a Length field 304, and an ID field 306 that contains either a nonce or a timestamp.
  • The Authentication Mobility Option is depicted in FIG. 5. This option contains a Type field 402, a Length field 404 to indicate the length of a Subtype field 406, SPI field 408, and Authenticator field 410 (combined). The Subtype field 406 is a number assigned to identify the entity and/or mechanism to be used to authenticate the message. The SPI field 408 is used to identify the particular security association to use to authenticate the message. The Authenticator field 410 contains the information to authenticate the mobile node. In one implementation, the Authentication Mobility Option is the last option in a message that contains a mobility header.
  • The Authenticator field 410 contains the following information:
    Authenticator=First (96, HMAC_SHA1 (MN-HA Shared Key, Mobility Data)).
  • Basically, the Authenticator field 410 contains the first 96 bits of a hash function (defined by HMAC_SHA1) of the following two data elements: MN-HA Shared Key, Mobility Data. The hash function is a one-way hash function, such as SHA-1 (secure hash algorithm-1) to enable secure communication of the shared key. The MN-HA Shared Key is the shared secret key between the mobile node and the home agent. If the home agent does not have a copy of this shared key, the home agent can access the home AAA server 38 (FIG. 1) to retrieve the key to perform authentication operations.
  • The Mobility Data contained in the Authenticator field is defined as follows:
    Mobility Data=care-of address|home address|MH Data|SPI.
  • The care-of address is the IP address (in a visited network) to which packets addressed to a mobile node's home address are routed. The home address is the IP address of the mobile node in the home network. The MH Data contains information in the mobility header of the Binding Update message. The SPI is from the SPI field 408 of the Authentication Mobility Option (FIG. 5).
  • Upon receiving a Binding Update message (108 in FIG. 2) from the mobile node, the home agent extracts the content of the Authenticator field 410 and SPI field 408 from the Authentication Mobility Option (FIG. 5). The home agent also extracts the NAI from the NAI field 206 of the MN-NAI Mobility Option (FIG. 3). The NAI, Authenticator and SPI values are included in the Access-Request (or other type of message) sent by the home agent to the AAA server.
  • By using the lightweight authentication mechanism according to some embodiments, a more efficient authentication procedure than those offered by conventional mechanisms, such as IPsec, is provided. For example, the relatively lengthy session setup time for IPsec can be avoided by use of the lightweight authentication mechanism according to some embodiments. Also, the lightweight authentication mechanism allows for more efficient usage of processing resources of mobile nodes.
  • The tasks performed by the home agent (or other equivalent entity in a home network) and mobile station are provided by software in the home agent and mobile station. Instructions of such software routines or modules are stored on one or more storage devices in the corresponding systems and loaded for execution on corresponding processors. The processors include microprocessors, microcontrollers, processor modules or subsystems (including one or more microprocessors or microcontrollers), or other control or computing devices. As used here, a “controller” refers to hardware, software, or a combination thereof. A “controller” can refer to a single component or to plural components (whether software or hardware).
  • Data and instructions (of the software) are stored in respective storage devices, which are implemented as one or more machine-readable storage media. The storage media include different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; and optical media such as compact disks (CDs) or digital video disks (DVDs).
  • The instructions of the software are loaded or transported to each entity in one of many different ways. For example, code segments including instructions stored on floppy disks, CD or DVD media, a hard disk, or transported through a network interface card, modem, or other interface device are loaded into the entity and executed as corresponding software routines or modules. In the loading or transport process, data signals that are embodied in carrier waves (transmitted over telephone lines, network lines, wireless links, cables, and the like) communicate the code segments, including instructions, to the entity. Such carrier waves are in the form of electrical, optical, acoustical, electromagnetic, or other types of signals.
  • While some embodiments have been disclosed with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations there from. It is intended that the appended claims cover such modifications and variations as fall within the true spirit and scope of the invention.

Claims (26)

1. A method of authenticating a mobile node, comprising:
receiving, from the mobile node, a Mobile IPv6 registration request, the registration request containing authentication information;
performing a procedure to authenticate the mobile node based on the authentication information contained in the Mobile IPv6 registration request; and
sending a reply to the mobile node acknowledging successful registration.
2. The method of claim 1, wherein receiving the Mobile IPv6 registration request containing the authentication information comprises receiving the Mobile IPv6 registration request containing authentication information that is different from Internet Protocol Security information.
3. The method of claim 1, wherein receiving the Mobile IPv6 registration request comprises receiving a Mobile IPv6 registration request that contains the authentication information and a network access identifier.
4. The method of claim 3, wherein receiving the Mobile IPv6 registration request comprises receiving a Mobile IPv6 registration request that contains the authentication information, network access identifier, and a replay protection field, the method further comprises:
checking for a replay attack based on the replay protection field.
5. The method of claim 4, wherein the replay protection field contains at least one of a timestamp and a nonce, wherein checking for the replay attack is based on the at least one of the timestamp and nonce.
6. The method of claim 1, wherein receiving the Mobile IPv6 registration request comprises receiving a Mobile IPv6 Binding Update message.
7. The method of claim 5, wherein sending the reply to the mobile node comprises sending a Mobile IPv6 Binding Acknowledgment message, the Binding Acknowledgment message containing the authentication information.
8. The method of claim 7, further comprising adding the authentication information, a network access identifier, and a replay protection field to the Binding Acknowledgment message.
9. The method of claim 8, wherein the replay protection field comprises at least one of a timestamp and a nonce to enable checking for a reply attack by the mobile node.
10. The method of claim 7, wherein the authentication information includes a Security Parameter Index value and an Authenticator value, the Authenticator value containing at least a portion of a value derived by hashing information containing at least a secret key shared between the mobile node and a home agent.
11. The method of claim 1, further comprising:
extracting the authentication information from the Mobile IPv6 registration request; and
in response to the Mobile IPv6 registration request, sending a message to an Authentication, Authorization and Accounting (AAA) server to perform the authentication procedure.
12. The method of claim 1, wherein the authentication information includes a Security Parameter Index value and an Authenticator value, the Authenticator value containing at least a portion of a value derived by hashing information containing at least a secret key shared between the mobile node and a home agent.
13. An article comprising at least one storage medium containing instructions that when executed cause a system in a mobile network to:
receive a Mobile IPv6 registration message, the registration message containing authentication information used to authenticate a mobile node in the mobile network.
14. The article of claim 13, wherein the authentication information is different from Internet Protocol Security information.
15. The article of claim 13, wherein the system comprises a mobile station, wherein the instructions when executed cause the mobile station to receive a Mobile IPv6 Binding Acknowledgment message that contains the authentication information.
16. The article of claim 15, wherein receiving the Mobile IPv6 Binding Acknowledgment message comprises receiving a Mobile IPv6 Binding Acknowledgment message that contains the authentication information and a network access identifier of the mobile node.
17. The article of claim 13, wherein the system comprises a home agent, wherein the instructions when executed cause the home agent to receive a Mobile IPv6 Binding Update message, the Mobile IPv6 Binding Update message containing the authentication information.
18. The article of claim 17, wherein the instructions when executed cause the home agent to further send an access request to an Authentication, Authorization, Accounting server to perform an authentication procedure, wherein the message sent to the AAA server contains the authentication information in the Mobile IPv6 Binding Update message.
19. The article of claim 13, wherein the Mobile IPv6 registration message further contains a replay protection field, wherein the instructions when executed cause the system to further detect for a replay attack using the replay protection field in the Mobile IPv6 registration message.
20. The article of claim 13, wherein receiving the Mobile IPv6 registration message comprises receiving a Mobile IPv6 registration message that further contains a network access identifier of the mobile node.
21. The article of claim 13, wherein the authentication information contains a Security Parameter Index value and an Authenticator value, where the Authenticator value contains at least a portion of a value derived from hashing information containing at least a secret shared key between a mobile node and a home agent.
22. A mobile node comprising:
an interface to communicate with a mobile network that contains a home agent; and
a controller to:
send a Binding Update message to the home agent, wherein the Binding Update message contains an authentication field to enable the home agent to authenticate the mobile node; and
receive a Binding Acknowledgment message from the home agent, wherein the Binding Acknowledgment message indicates that the mobile node has been successfully authenticated by the home agent.
23. The mobile node of claim 22, wherein the Binding Update message further contains a network access identifier of the mobile node.
24. The mobile node of claim 23, wherein the Binding Update message further contains a replay attack protection field.
25. The mobile node of claim 22, wherein the authentication field contains information different from Internet Protocol Security information.
26. The mobile node of claim 25, wherein the Binding Update message comprises a Mobile IPv6 Binding Update message.
US10/958,819 2003-10-13 2004-10-05 Mobile node authentication Abandoned US20050079869A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/958,819 US20050079869A1 (en) 2003-10-13 2004-10-05 Mobile node authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US51060703P 2003-10-13 2003-10-13
US10/958,819 US20050079869A1 (en) 2003-10-13 2004-10-05 Mobile node authentication

Publications (1)

Publication Number Publication Date
US20050079869A1 true US20050079869A1 (en) 2005-04-14

Family

ID=34435111

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/958,819 Abandoned US20050079869A1 (en) 2003-10-13 2004-10-05 Mobile node authentication

Country Status (5)

Country Link
US (1) US20050079869A1 (en)
EP (1) EP1676397A4 (en)
KR (1) KR101102228B1 (en)
CN (1) CN1890917B (en)
WO (1) WO2005036813A1 (en)

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050091492A1 (en) * 2003-10-27 2005-04-28 Benson Glenn S. Portable security transaction protocol
US20050136950A1 (en) * 2003-11-07 2005-06-23 Ntt Docomo, Inc. Mobile communication system, extension transmission/reception device, base station, radio network controller and mobile station
US20050159157A1 (en) * 2004-01-20 2005-07-21 Nokia Corporation Authentications in a communication system
US20060077925A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Enhancement of AAA routing initiated from a home service network involving intermediary network preferences
US20060077924A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Terminal-assisted selection of intermediary network for a roaming mobile terminal
US20060077926A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Home network-assisted selection of intermediary network for a roaming mobile terminal
US20060160524A1 (en) * 2005-01-20 2006-07-20 Utstarcom, Inc. Method and apparatus to facilitate the support of communications that require authentication when authentication is absent
US20060168111A1 (en) * 2004-11-30 2006-07-27 Gidwani Sanjay M Distributed disparate wireless switching network
US20060259969A1 (en) * 2005-05-13 2006-11-16 Samsung Electronics Co., Ltd. Method of preventing replay attack in mobile IPv6
US20070002787A1 (en) * 2005-06-30 2007-01-04 Vidya Narayanan Method of dynamically assigning mobility configuration parameters for mobile entities
WO2007027895A2 (en) * 2005-09-02 2007-03-08 Tekelec System for providing third party control of access to media content
US20070067794A1 (en) * 2005-09-02 2007-03-22 Tekelec Methods, systems, and computer program products for monitoring and analyzing signaling messages associated with delivery of streaming media content to subscribers via a broadcast and multicast service (BCMCS)
US20070094142A1 (en) * 2005-10-25 2007-04-26 Tekelec Methods, systems, and computer program products for providing media content delivery audit and verification services
US20070124585A1 (en) * 2005-11-29 2007-05-31 Cisco Technology, Inc. Authorizing an endpoint node for a communication service
US20070165654A1 (en) * 2005-10-13 2007-07-19 Huawei Technologies Co., Ltd Method for managing a terminal device
US20070183382A1 (en) * 2006-02-03 2007-08-09 Radioframe Networks, Inc. Auto-discovery of a non-advertised public network address
US20070197216A1 (en) * 2005-03-09 2007-08-23 Huawei Technologies Co., Ltd. Method for locking terminal home
US20070245007A1 (en) * 2006-04-14 2007-10-18 Georgios Tsirtsis Automatic selection of a home agent
US7382748B1 (en) * 2001-10-24 2008-06-03 Nortel Networks Limited Assigning a dynamic home agent for a mobile network element
US7590732B2 (en) 2004-10-08 2009-09-15 Telefonaktiebolaget Lm Ericsson (Publ) Enhancement of AAA routing originated from a local access network involving intermediary network preferences
US20090276533A1 (en) * 2008-05-02 2009-11-05 Futurewei Technologies, Inc. Authentication Option Support for Binding Revocation in Mobile Internet Protocol version 6
KR100932785B1 (en) 2008-10-17 2009-12-29 주식회사 케이티 System providing integrated subscriber recognition in heterogeneous networks and mobile IP registration method for same
US20100097975A1 (en) * 2005-01-13 2010-04-22 Utstarcom, Inc. Method and apparatus to facilitate broadcast packet handling
US20100214975A1 (en) * 2005-06-20 2010-08-26 Sk Telecom Co., Ltd. Fast data-link connection method for saving connection time in cdma 2000 network
US20100330960A1 (en) * 2009-06-25 2010-12-30 Venkataramaiah Ravishankar Systems, methods, and computer readable media for third party monitoring and control of calls
US20110093604A1 (en) * 2008-08-07 2011-04-21 Hajime Zembutsu Communication system, server apparatus, information communication method, and program
US20110107403A1 (en) * 2008-08-07 2011-05-05 Hajime Zembutsu Communication system, server apparatus, information communication method, and program
US20120030741A1 (en) * 2008-09-28 2012-02-02 Huawei Technologies Co., Ltd Method for terminal configuration and management and terminal device
US8311552B1 (en) * 2004-02-27 2012-11-13 Apple Inc. Dynamic allocation of host IP addresses
US10412572B2 (en) * 2017-11-16 2019-09-10 Baidu Online Network Technology (Beijing) Co., Ltd. Device discovering method, apparatus and computer storage medium thereof
US11283798B2 (en) * 2016-07-18 2022-03-22 Telefonaktiebolaget Lm Ericsson (Publ) Network nodes and methods performed by network node for selecting authentication mechanism
US20240163668A1 (en) * 2022-11-14 2024-05-16 Honeywell International Inc. Apparatuses, computer-implemented methods, and computer program products for managing access of wireless nodes to a network

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925431A (en) * 2005-08-31 2007-03-07 华为技术有限公司 Method for file host-host protocol service significance testing
DE102006006072B3 (en) 2006-02-09 2007-08-23 Siemens Ag A method for securing the authenticity of messages exchanged according to a Mobile Internet Protocol
US8189544B2 (en) * 2006-06-26 2012-05-29 Alcatel Lucent Method of creating security associations in mobile IP networks
US8561135B2 (en) 2007-12-28 2013-10-15 Motorola Mobility Llc Wireless device authentication using digital certificates
KR100957183B1 (en) 2008-08-05 2010-05-11 건국대학교 산학협력단 Mobile terminal authentication method in proxy mobile IP environment
KR101771437B1 (en) 2009-11-04 2017-08-28 삼성전자주식회사 Method for determining device according to contents attribute and providing contents to the device and electronic device using the same
US10097525B2 (en) * 2016-03-08 2018-10-09 Qualcomm Incorporated System, apparatus and method for generating dynamic IPV6 addresses for secure authentication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030092425A1 (en) * 2001-11-09 2003-05-15 Docomo Communications Laboratories Usa, Inc. Method for securing access to mobile IP network
US20040083296A1 (en) * 2002-10-25 2004-04-29 Metral Max E. Apparatus and method for controlling user access
US20050076248A1 (en) * 2003-10-02 2005-04-07 Cahill Conor P. Identity based service system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2149688C (en) * 1994-06-30 1999-05-04 Bruce Merrill Bales Pre-location of authentication information in a personal communication system
US6625135B1 (en) 1998-05-11 2003-09-23 Cargenie Mellon University Method and apparatus for incorporating environmental information for mobile communications
US6567664B1 (en) * 1999-06-02 2003-05-20 Nokia Corporation Registration for mobile nodes in wireless internet protocols
JP2003101570A (en) * 2001-09-21 2003-04-04 Sony Corp Communication processing system and method, and its server device and computer program
US7286671B2 (en) 2001-11-09 2007-10-23 Ntt Docomo Inc. Secure network access method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030092425A1 (en) * 2001-11-09 2003-05-15 Docomo Communications Laboratories Usa, Inc. Method for securing access to mobile IP network
US20040083296A1 (en) * 2002-10-25 2004-04-29 Metral Max E. Apparatus and method for controlling user access
US20050076248A1 (en) * 2003-10-02 2005-04-07 Cahill Conor P. Identity based service system

Cited By (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7382748B1 (en) * 2001-10-24 2008-06-03 Nortel Networks Limited Assigning a dynamic home agent for a mobile network element
US20050091492A1 (en) * 2003-10-27 2005-04-28 Benson Glenn S. Portable security transaction protocol
US8190893B2 (en) * 2003-10-27 2012-05-29 Jp Morgan Chase Bank Portable security transaction protocol
US8583928B2 (en) 2003-10-27 2013-11-12 Jp Morgan Chase Bank Portable security transaction protocol
US20050136950A1 (en) * 2003-11-07 2005-06-23 Ntt Docomo, Inc. Mobile communication system, extension transmission/reception device, base station, radio network controller and mobile station
US7634293B2 (en) * 2003-11-07 2009-12-15 Ntt Docomo, Inc. Mobile communication system, extension transmission/reception device, base station, radio network controller and mobile station
US20050159157A1 (en) * 2004-01-20 2005-07-21 Nokia Corporation Authentications in a communication system
US9615246B2 (en) 2004-02-27 2017-04-04 Apple Inc. Dynamic allocation of host IP addresses
US8311552B1 (en) * 2004-02-27 2012-11-13 Apple Inc. Dynamic allocation of host IP addresses
US7298725B2 (en) * 2004-10-08 2007-11-20 Telefonaktiebolaget Lm Ericsson (Publ) Enhancement of AAA routing initiated from a home service network involving intermediary network preferences
US20060077925A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Enhancement of AAA routing initiated from a home service network involving intermediary network preferences
US20060077924A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Terminal-assisted selection of intermediary network for a roaming mobile terminal
US20060077926A1 (en) * 2004-10-08 2006-04-13 Telefonaktiebolaget Lm Ericsson (Publ) Home network-assisted selection of intermediary network for a roaming mobile terminal
US7590732B2 (en) 2004-10-08 2009-09-15 Telefonaktiebolaget Lm Ericsson (Publ) Enhancement of AAA routing originated from a local access network involving intermediary network preferences
US7551926B2 (en) 2004-10-08 2009-06-23 Telefonaktiebolaget Lm Ericsson (Publ) Terminal-assisted selection of intermediary network for a roaming mobile terminal
US7292592B2 (en) 2004-10-08 2007-11-06 Telefonaktiebolaget Lm Ericsson (Publ) Home network-assisted selection of intermediary network for a roaming mobile terminal
US20060168111A1 (en) * 2004-11-30 2006-07-27 Gidwani Sanjay M Distributed disparate wireless switching network
US7733822B2 (en) * 2004-11-30 2010-06-08 Sanjay M. Gidwani Distributed disparate wireless switching network
US20100097975A1 (en) * 2005-01-13 2010-04-22 Utstarcom, Inc. Method and apparatus to facilitate broadcast packet handling
US8229422B2 (en) * 2005-01-13 2012-07-24 Utstarcom, Inc. Method and apparatus to facilitate broadcast packet handling
US20060160524A1 (en) * 2005-01-20 2006-07-20 Utstarcom, Inc. Method and apparatus to facilitate the support of communications that require authentication when authentication is absent
US20070197216A1 (en) * 2005-03-09 2007-08-23 Huawei Technologies Co., Ltd. Method for locking terminal home
KR100848541B1 (en) 2005-05-13 2008-07-25 삼성전자주식회사 How to prevent replay attacks in Mobile IP version 6
US7764949B2 (en) * 2005-05-13 2010-07-27 Samsung Electronics Co., Ltd Method of preventing replay attack in mobile IPv6
US20060259969A1 (en) * 2005-05-13 2006-11-16 Samsung Electronics Co., Ltd. Method of preventing replay attack in mobile IPv6
US20100214975A1 (en) * 2005-06-20 2010-08-26 Sk Telecom Co., Ltd. Fast data-link connection method for saving connection time in cdma 2000 network
US8867505B2 (en) * 2005-06-20 2014-10-21 Sk Telecom Co., Ltd. Fast data-link connection method for saving connection time in CDMA 2000 network
US20070002787A1 (en) * 2005-06-30 2007-01-04 Vidya Narayanan Method of dynamically assigning mobility configuration parameters for mobile entities
US7808970B2 (en) * 2005-06-30 2010-10-05 Motorola, Inc. Method of dynamically assigning mobility configuration parameters for mobile entities
US7720463B2 (en) 2005-09-02 2010-05-18 Tekelec Methods, systems, and computer program products for providing third party control of access to media content available via broadcast and multicast service (BCMCS)
US20070124785A1 (en) * 2005-09-02 2007-05-31 Tekelec Methods, systems, and computer program products for providing third party control of access to media content available via broadcast and multicast service (BCMCS)
US20070067794A1 (en) * 2005-09-02 2007-03-22 Tekelec Methods, systems, and computer program products for monitoring and analyzing signaling messages associated with delivery of streaming media content to subscribers via a broadcast and multicast service (BCMCS)
WO2007027895A3 (en) * 2005-09-02 2009-04-30 Tekelec Us System for providing third party control of access to media content
WO2007027895A2 (en) * 2005-09-02 2007-03-08 Tekelec System for providing third party control of access to media content
US7961622B2 (en) 2005-09-02 2011-06-14 Tekelec Methods, systems, and computer program products for monitoring and analyzing signaling messages associated with delivery of streaming media content to subscribers via a broadcast and multicast service (BCMCS)
US20070165654A1 (en) * 2005-10-13 2007-07-19 Huawei Technologies Co., Ltd Method for managing a terminal device
US7889684B2 (en) * 2005-10-13 2011-02-15 Huawei Technologies Co., Ltd. Method for managing a terminal device
US20070094142A1 (en) * 2005-10-25 2007-04-26 Tekelec Methods, systems, and computer program products for providing media content delivery audit and verification services
US20090075635A1 (en) * 2005-10-25 2009-03-19 Tekelec Methods, systems, and computer program products for providing media content delivery audit and verification services
US7860799B2 (en) 2005-10-25 2010-12-28 Tekelec Methods, systems, and computer program products for providing media content delivery audit and verification services
US8086221B2 (en) * 2005-11-29 2011-12-27 Cisco Technology, Inc. Authorizing an endpoint node for a communication service
US20090183240A1 (en) * 2005-11-29 2009-07-16 Cisco Technology, Inc. Authorizing an Endpoint Node for a Communication Service
US20070124585A1 (en) * 2005-11-29 2007-05-31 Cisco Technology, Inc. Authorizing an endpoint node for a communication service
US7508794B2 (en) * 2005-11-29 2009-03-24 Cisco Technology, Inc. Authorizing an endpoint node for a communication service
US9059841B2 (en) * 2006-02-03 2015-06-16 Broadcom Corporation Auto-discovery of a non-advertised public network address
US20070183382A1 (en) * 2006-02-03 2007-08-09 Radioframe Networks, Inc. Auto-discovery of a non-advertised public network address
US20070245007A1 (en) * 2006-04-14 2007-10-18 Georgios Tsirtsis Automatic selection of a home agent
US8213934B2 (en) * 2006-04-14 2012-07-03 Qualcomm Incorporated Automatic selection of a home agent
US8370503B2 (en) * 2008-05-02 2013-02-05 Futurewei Technologies, Inc. Authentication option support for binding revocation in mobile internet protocol version 6
US20090276533A1 (en) * 2008-05-02 2009-11-05 Futurewei Technologies, Inc. Authentication Option Support for Binding Revocation in Mobile Internet Protocol version 6
US20110107403A1 (en) * 2008-08-07 2011-05-05 Hajime Zembutsu Communication system, server apparatus, information communication method, and program
US20110093604A1 (en) * 2008-08-07 2011-04-21 Hajime Zembutsu Communication system, server apparatus, information communication method, and program
US8191153B2 (en) * 2008-08-07 2012-05-29 Nec Corporation Communication system, server apparatus, information communication method, and program
US20120030741A1 (en) * 2008-09-28 2012-02-02 Huawei Technologies Co., Ltd Method for terminal configuration and management and terminal device
US8438616B2 (en) * 2008-09-28 2013-05-07 Huawei Technologies Co., Ltd. Method for terminal configuration and management and terminal device
KR100932785B1 (en) 2008-10-17 2009-12-29 주식회사 케이티 System providing integrated subscriber recognition in heterogeneous networks and mobile IP registration method for same
US20100330960A1 (en) * 2009-06-25 2010-12-30 Venkataramaiah Ravishankar Systems, methods, and computer readable media for third party monitoring and control of calls
US11283798B2 (en) * 2016-07-18 2022-03-22 Telefonaktiebolaget Lm Ericsson (Publ) Network nodes and methods performed by network node for selecting authentication mechanism
US10412572B2 (en) * 2017-11-16 2019-09-10 Baidu Online Network Technology (Beijing) Co., Ltd. Device discovering method, apparatus and computer storage medium thereof
US20240163668A1 (en) * 2022-11-14 2024-05-16 Honeywell International Inc. Apparatuses, computer-implemented methods, and computer program products for managing access of wireless nodes to a network

Also Published As

Publication number Publication date
WO2005036813A1 (en) 2005-04-21
KR101102228B1 (en) 2012-01-05
EP1676397A4 (en) 2012-01-18
CN1890917A (en) 2007-01-03
EP1676397A1 (en) 2006-07-05
KR20070003763A (en) 2007-01-05
CN1890917B (en) 2017-02-15

Similar Documents

Publication Publication Date Title
US20050079869A1 (en) Mobile node authentication
US7168090B2 (en) Mobile IP authentication
US8584207B2 (en) Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
US7475241B2 (en) Methods and apparatus for dynamic session key generation and rekeying in mobile IP
US7447182B2 (en) Discovering an address of a name server
US6956846B2 (en) System and method for foreign agent control node redundancy in a mobile internet protocol network
JP3964257B2 (en) System and method for allowing a simple IP mobile node to operate seamlessly by performing true roaming in a mobile IP network
US7152238B1 (en) Enabling mobility for point to point protocol (PPP) users using a node that does not support mobility
US7382748B1 (en) Assigning a dynamic home agent for a mobile network element
US7496057B2 (en) Methods and apparatus for optimizations in 3GPP2 networks using mobile IPv6
US8289929B2 (en) Method and apparatus for enabling mobility in mobile IP based wireless communication systems
WO2007011995A1 (en) Secure proxy mobile ip apparatus, system, and method
US7406317B2 (en) Maintaining a communications session with a mobile station
CN1905519A (en) Home agent apparatus and communication system
US8099597B2 (en) Service authorization for distributed authentication and authorization servers
EP2106591B1 (en) Solving pana bootstrapping timing problem
US20070064903A1 (en) Method and system for managing network resources
US7421077B2 (en) Mobile IP authentication
US8370503B2 (en) Authentication option support for binding revocation in mobile internet protocol version 6
CA2442711A1 (en) Method and system for discovering an address of a name server
WO2009054687A2 (en) Apparatus and method for fast establishing ip address in portable internet network based on proxy mobile ip
Liotta et al. A Prototype-based Evaluation of IP Technologies for Mobile VPN.
Wang et al. IPSec-based key management in mobile IP networks
CN1788504A (en) Methods and apparatus for the utilization of core based nodes for state transfer

Legal Events

Date Code Title Description
AS Assignment

Owner name: NORTEL NETWORKS LIMITED, CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KHALIL, MOHAMED;CHOWDHURY, KUNTAL;AKHTAR, HASEEB;REEL/FRAME:015873/0353

Effective date: 20041001

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载